Detroit becomes Human

Case Summary

Alonzo Spire is fascinated by AI after noticing the recent uptick in the use of AI tools to aid daily tasks. He came across a sponsored post on social media about an AI tool by Google. The post had a massive reach, and the page that posted it had more than 200k followers. Without a second thought, he downloaded the tool linked from the post. After installing it, however, he could not find the tool on his system, which raised his suspicions. A DFIR analyst was notified of a possible incident on Forela's sysadmin machine. You are tasked with helping the analyst find the true source of this odd incident.

Task 1: What is the full link of the social media post which is part of the malware campaign, and was unknowingly opened by Alonzo Spire?

By examining the History file of the Edge browser, located at ...\detroitbecomehuman\Triage\C\Users\alonzo.spire\AppData\Local\Microsoft\Edge\User Data\Default\, we can view the browsing activity of the user alonzo.spire, including the websites visited, the files downloaded, and more. The History file is a SQLite database and can be opened with DB Browser for SQLite.

We observed that the user alonzo.spire accessed a phishing post on the Facebook platform that impersonated a legitimate AI tool.

Answer 1: https://www.facebook.com/AI.ultra.new/posts/pfbid0BqpxXypMtY5dWGy2GDfpRD4cQRppdNEC9SSa72FmPVKqik9iWNa2mRkpx9xziAS1l

Task 2: Can you confirm the timestamp in UTC when alonzo visited this post?

Copy the value of last_visit_time from the same row used in the previous task (13355296200136503). This is a WebKit timestamp (microseconds since 1601-01-01 00:00:00 UTC), so we need a timestamp converter tool to convert it to UTC.

Answer 2: 2024-03-19 04:30:00

Task 3: Alonzo downloaded a file on the system thinking it was an AI Assistant tool. What is the name of the archive file downloaded?

In the same database, switch to the downloads table and look for the file downloaded from the phishing post.

Answer 3: AI.Gemini Ultra For PC V1.0.1.rar

Task 4: What was the full direct url from where the file was downloaded?

Switching to the downloads_url_chains table, we can see that the initial Facebook link redirected to the URL from which the malicious file was downloaded.

Answer 4: https://drive.usercontent.google.com/download?id=1z-SGnYJCPE0HA_Faz6N7mD5qf0E-A76H&export=download
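The lookups behind Tasks 1 to 4 (the urls, downloads and downloads_url_chains tables, plus the WebKit timestamp conversion from Task 2) as an added Python example that is not part of the original writeup. It builds a constructed in-memory stand-in for the Edge History database with only the columns the queries need; the page title, download row id, local download path and chain order are assumptions, while the URLs, file name and last_visit_time are the values recovered above.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium/Edge store times as microseconds since 1601-01-01 00:00:00 UTC (the WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

FB_POST = ("https://www.facebook.com/AI.ultra.new/posts/"
           "pfbid0BqpxXypMtY5dWGy2GDfpRD4cQRppdNEC9SSa72FmPVKqik9iWNa2mRkpx9xziAS1l")
DRIVE_URL = ("https://drive.usercontent.google.com/download"
             "?id=1z-SGnYJCPE0HA_Faz6N7mD5qf0E-A76H&export=download")
ARCHIVE = "AI.Gemini Ultra For PC V1.0.1.rar"


def webkit_to_utc(value: int) -> str:
    """Convert a WebKit timestamp (microseconds since 1601) to 'YYYY-MM-DD HH:MM:SS' UTC."""
    return (WEBKIT_EPOCH + timedelta(microseconds=value)).strftime("%Y-%m-%d %H:%M:%S")


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for the Edge History database (subset of the real columns).
    Title, row id, local path and chain order are assumptions for this sample."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, last_visit_time INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, referrer TEXT);
        CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
    """)
    con.execute("INSERT INTO urls VALUES (1, ?, 'AI Ultra', 13355296200136503)", (FB_POST,))
    con.execute("INSERT INTO downloads VALUES (1, ?, ?)",
                ("C:\\Users\\alonzo.spire\\Downloads\\" + ARCHIVE, FB_POST))
    con.executemany("INSERT INTO downloads_url_chains VALUES (?, ?, ?)",
                    [(1, 0, FB_POST), (1, 1, DRIVE_URL)])
    return con


def facebook_visits(con: sqlite3.Connection) -> list:
    """Return (url, visit time in UTC) for every facebook.com entry in the urls table."""
    rows = con.execute(
        "SELECT url, last_visit_time FROM urls WHERE url LIKE 'https://www.facebook.com/%'")
    return [(url, webkit_to_utc(ts)) for url, ts in rows]


def download_chain(con: sqlite3.Connection, filename: str) -> list:
    """Return the ordered URL chain (referrer ... final download URL) for a downloaded file."""
    rows = con.execute("""
        SELECT c.url FROM downloads d JOIN downloads_url_chains c ON c.id = d.id
        WHERE d.target_path LIKE '%' || ? ORDER BY c.chain_index""", (filename,))
    return [url for (url,) in rows]


if __name__ == "__main__":
    con = build_sample_history()
    for url, when in facebook_visits(con):
        print(when, url)
    print(" -> ".join(download_chain(con, ARCHIVE)))
```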

Task 5: Alonzo then proceeded to install the newly downloaded app, thinking that it was a legitimate AI tool. What is the true product version which was installed?

Task 6: When was the malicious product/package successfully installed on the system?

These two tasks can be solved together. To find when the malicious package was installed on the host, we look for Windows Event ID 11707 (MsiInstaller), which records that an installation operation completed successfully. We will use the Chainsaw tool to search for Event ID 11707 automatically across the host's event log location, detroitbecomehuman\Triage\C\Windows\System32\winevt\logs:


./chainsaw.exe search -t 'Event.System.EventID: =11707' '\detroitbecomehuman\Triage\C\Windows\System32\winevt\logs'

From the image above, the product named Install was installed on 2024/03/19 04:31:33. The event's Binary field contains the package's product code: 7B41424332434530312D373841352D343535342D413332412D3434303241344538334242337D

To find the version of the package, we search for all events that contain the same Binary value:


./chainsaw.exe search -e 7B41424332434530312D373841352D343535342D413332412D3434303241344538334242337D -i '\detroitbecomehuman\Triage\C\Windows\System32\winevt\logs'

Answer 5: 3.32.3

Answer 6: 2024-03-19 04:31:33
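The correlation step behind Tasks 5 and 6, as an added Python example that is not part of the original writeup: it decodes the hex Binary value above back into the MSI product code and then pairs the 11707 "installation completed" event with the 1033 event carrying the same product code to read the version. The event records are constructed samples (standard MsiInstaller wording; the manufacturer text and the decoy event are invented), not the case's real log entries.

```python
import re
from typing import Iterator, Optional

# Binary field of the 11707 event that chainsaw surfaced: hex of the ASCII product code.
BINARY_HEX = "7B41424332434530312D373841352D343535342D413332412D3434303241344538334242337D"

# Constructed sample MsiInstaller events. Wording follows the standard 11707/1033
# messages; name, version and time mirror what the writeup read off chainsaw's
# output, and the third event is an unrelated decoy with an all-zero product code.
SAMPLE_EVENTS = [
    {"EventID": 11707, "TimeCreated": "2024-03-19 04:31:33", "Binary": BINARY_HEX,
     "Data": "Product: Install -- Installation completed successfully."},
    {"EventID": 1033, "TimeCreated": "2024-03-19 04:31:33", "Binary": BINARY_HEX,
     "Data": ("Windows Installer installed the product. Product Name: Install. "
              "Product Version: 3.32.3. Product Language: 1033. Manufacturer: Unknown. "
              "Installation success or error status: 0.")},
    {"EventID": 11707, "TimeCreated": "2024-03-10 09:00:00",
     "Binary": "{00000000-0000-0000-0000-000000000000}".encode().hex().upper(),
     "Data": "Product: Unrelated App -- Installation completed successfully."},
]


def decode_product_code(binary_hex: str) -> str:
    """The Binary field is just the '{GUID}' product code as ASCII bytes, hex-encoded."""
    return bytes.fromhex(binary_hex).decode("ascii")


def installs_completed(events) -> Iterator[tuple]:
    """Yield (time, product name, product code) for every 11707 event."""
    for ev in events:
        if ev["EventID"] != 11707:
            continue
        m = re.match(r"Product: (.+?) -- Installation completed successfully\.", ev["Data"])
        yield (ev["TimeCreated"], (m.group(1) if m else None), decode_product_code(ev["Binary"]))


def product_version(events, product_code: str) -> Optional[str]:
    """Pull the version from the 1033 event that carries the same product code."""
    for ev in events:
        if ev["EventID"] == 1033 and decode_product_code(ev["Binary"]) == product_code:
            m = re.search(r"Product Version: ([\w.]+?)\. ", ev["Data"])
            return m.group(1) if m else None
    return None


if __name__ == "__main__":
    for when, name, code in installs_completed(SAMPLE_EVENTS):
        print(when, name, code, "version:", product_version(SAMPLE_EVENTS, code))
```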

Task 7: The malware used a legitimate location to stage its file on the endpoint. Can you find out the Directory path of this location?

At this point, we only know the name of the malicious package, but we don't have any information about its location on the host. While reviewing the event logs, I discovered an interesting log entry that records a PowerShell script execution.

This script reveals that the installation package is located in C:\Program Files (x86)\Google. Since this is a legitimate folder, the malware is likely using it to blend in and evade detection.

Answer 7: C:\Program Files (x86)\Google

Task 8: The malware executed a command from a file. What is the name of this file?

Task 9: What are the contents of the file from question 8? Remove whitespace to avoid format issues.

Using MFT Explorer to examine the $MFT file (located at \detroitbecomehuman\Triage\C), we can list all the files contained in the Install folder.

Reviewing the contents of install.cmd, it is evident that this batch file launches a malicious script: it runs PowerShell with -ExecutionPolicy Bypass so that the malicious ru.ps1 script executes regardless of the configured execution policy.

Answer 8: install.cmd

Answer 9: @echooffpowershell-ExecutionPolicyBypass-File"%~dp0nmmhkkegccagdldgiimedpic/ru.ps1"

Task 10: What was the command executed from this file according to the logs?

We will check the event log named "Windows PowerShell", located at \detroitbecomehuman\Triage\C\Windows\System32\winevt\logs. The malicious command is shown in the image below.

Answer 10: powershell -ExecutionPolicy Bypass -File C:\Program Files (x86)\Google\Install\nmmhkkegccagdldgiimedpic/ru.ps1

Task 11: Under the malware staging directory, a js file resides which is very small in size. What is the hex offset for this file on the filesystem?

Task 12: Recover the contents of this js file so we can forward this to our RE/MA team for further analysis and understanding of this infection chain. To sanitize the payload, remove whitespaces.

Checking the $MFT file, at path C:\Program Files (x86)\Google\Install\nmmhkkegccagdldgiimedpic\, we find a file named content.js. The information for this file is shown in the image below, including the hex offset and the suspicious script.

Answer 11: 3E90C00

Answer 12: varisContentScriptExecuted=localStorage.getItem('contentScriptExecuted');if(!isContentScriptExecuted){chrome.runtime.sendMessage({action:'executeFunction'},function(response){localStorage.setItem('contentscriptExecuted',true);});}

Task 13: Upon seeing no AI Assistant app being run, Alonzo tried searching for it from File Explorer. What keywords did he use to search?

Task 14: When did Alonzo search for it?

To complete this task, we need to examine the user's registry hive. We will use Registry Explorer to open the NTUSER.dat file, located at \detroitbecomehuman\Triage\C\Users\alonzo.spire\. Next, navigate to the following path to find the keyword that Alonzo searched for: Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery. The image below shows the corresponding value.

Answer 13: Google Ai Gemini tool

Answer 14: 2024-03-19 04:32:11
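How the WordWheelQuery key yields both answers, as an added Python example that is not part of the original writeup: each numbered value is a NUL-terminated UTF-16LE search string, MRUListEx gives the most-recent-first order, and the key's last-write time (a FILETIME) is when the last search happened. The registry values here are a constructed sample; the second search term and the slot layout are invented for illustration, and the last-write value is the FILETIME that corresponds to the answer above.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> str:
    """Convert a Windows FILETIME (100-ns ticks since 1601) to 'YYYY-MM-DD HH:MM:SS' UTC."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d %H:%M:%S")


def parse_mrulistex(blob: bytes) -> list:
    """MRUListEx is a list of little-endian DWORD slot numbers, most recent first, ending in 0xFFFFFFFF."""
    order = []
    for (slot,) in struct.iter_unpack("<I", blob):
        if slot == 0xFFFFFFFF:
            break
        order.append(slot)
    return order


def decode_search_term(blob: bytes) -> str:
    """Each numbered value stores one search string as NUL-terminated UTF-16LE."""
    return blob.decode("utf-16-le").rstrip("\x00")


def recent_searches(values: dict, key_last_write: int) -> tuple:
    """Return (search terms in MRU order, UTC time of the key's last write)."""
    terms = [decode_search_term(values[str(slot)]) for slot in parse_mrulistex(values["MRUListEx"])]
    return terms, filetime_to_utc(key_last_write)


# Constructed sample of the WordWheelQuery key (slot 1 is the newest entry).
SAMPLE_VALUES = {
    "MRUListEx": struct.pack("<II", 1, 0) + b"\xff\xff\xff\xff",
    "0": "gemini".encode("utf-16-le") + b"\x00\x00",        # invented earlier search
    "1": "Google Ai Gemini tool".encode("utf-16-le") + b"\x00\x00",
}
SAMPLE_LAST_WRITE = 133552963310000000  # FILETIME for 2024-03-19 04:32:11 UTC (constructed)

if __name__ == "__main__":
    terms, when = recent_searches(SAMPLE_VALUES, SAMPLE_LAST_WRITE)
    print("last search:", terms[0], "at", when, "| full MRU:", terms)
```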

Task 15: After Alonzo could not find any AI tool on the system, he became suspicious, contacted the security team and deleted the downloaded file. When was the file deleted by Alonzo?

The deleted folder can be found in the Recycle Bin. The image below shows the relevant information.

Answer 15: 2024-03-19 04:34:16
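Where the Recycle Bin deletion time comes from, as an added Python example that is not part of the original writeup: each deleted item has a $I metadata record (Windows 10 layout, header version 2) holding the original size, the deletion FILETIME and the original path. The record parsed here is constructed in the same layout; the original path and size are assumptions, and the FILETIME is the one corresponding to the answer above.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> str:
    """Convert a Windows FILETIME (100-ns ticks since 1601) to 'YYYY-MM-DD HH:MM:SS' UTC."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d %H:%M:%S")


def parse_recycle_bin_i(data: bytes) -> dict:
    """Parse a $I<id> record: version(8) | original size(8) | deletion FILETIME(8) |
    name length in UTF-16 chars(4) | original path (UTF-16LE, NUL-terminated)."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version != 2:
        raise ValueError(f"unsupported $I header version {version}")
    (name_chars,) = struct.unpack_from("<I", data, 24)
    raw_name = data[28:28 + name_chars * 2]
    if len(raw_name) != name_chars * 2:
        raise ValueError("truncated $I record")
    return {"original_path": raw_name.decode("utf-16-le").rstrip("\x00"),
            "size": size, "deleted_utc": filetime_to_utc(ft)}


def build_sample_i(path: str, size: int, ft: int) -> bytes:
    """Construct a $I record in the same layout so the parser can be exercised offline."""
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<QQQI", 2, size, ft, len(encoded) // 2) + encoded


# Constructed sample: path and size are assumptions; the FILETIME encodes 2024-03-19 04:34:16 UTC.
SAMPLE_PATH = "C:\\Users\\alonzo.spire\\Downloads\\AI.Gemini Ultra For PC V1.0.1.rar"
SAMPLE_I = build_sample_i(SAMPLE_PATH, 12345678, 133552964560000000)

if __name__ == "__main__":
    rec = parse_recycle_bin_i(SAMPLE_I)
    print(rec["deleted_utc"], rec["size"], rec["original_path"])
```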

Task 16: Looking back at the starting point of this infection, please find the md5 hash of the malicious installer.

I searched through the available evidence but couldn't find any hash value for the malware. However, I was able to find the malware's name (Google AI Gemini Ultra For PC V1.0.1.msi). I then Googled it and found a report containing the MD5 hash value.

Answer 16: BF17D7F8DAC7DF58B37582CEC39E609D
